CVE-2026-36724 Overview
CVE-2026-36724 is a denial of service vulnerability in FastapiAdmin v2.2.0. The flaw resides in the /application/job/update/{id} endpoint, which fails to handle exceptions raised when processing the func field of scheduled tasks. Authenticated attackers holding the module_task:job:update permission can manipulate this field to trigger an uncaught exception, resulting in service disruption. The weakness is classified under CWE-400 (Uncontrolled Resource Consumption). Exploitation requires valid authentication and the appropriate task module permission, but no user interaction is needed.
Critical Impact
Authenticated attackers can crash the scheduled task service by submitting a malformed func value to the job update endpoint, disrupting availability of dependent automation workflows.
Affected Products
- FastapiAdmin v2.2.0
- Deployments exposing the /application/job/update/{id} endpoint
- Environments granting the module_task:job:update permission to non-administrative users
Discovery Timeline
- 2026-06-09 - CVE-2026-36724 published to the National Vulnerability Database (NVD)
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-36724
Vulnerability Analysis
FastapiAdmin v2.2.0 exposes a job update endpoint at /application/job/update/{id} that accepts user-controlled fields for scheduled tasks. The func field, which specifies the callable to be executed by the task scheduler, is not validated before being processed. When an attacker supplies an unexpected or malformed value, the application raises an exception that is not caught by the request handler. This propagates upward and disrupts the task scheduling service, producing a denial of service condition.
The vulnerability requires authentication and the module_task:job:update permission. It does not expose data confidentiality or integrity, but availability impact is high because the task scheduler is a shared component used by other automation jobs.
Root Cause
The root cause is missing input validation and missing exception handling around the func parameter in the job update flow. The endpoint trusts client-supplied data and lacks defensive boundaries on the values that may be assigned to a scheduled task callable. Refer to the GitHub Vulnerability Repository for the technical writeup.
Attack Vector
An authenticated user with module_task:job:update rights sends a crafted HTTP request to /application/job/update/{id}. The request body contains a manipulated func field that the application cannot resolve or deserialize. Processing this input raises an uncaught exception inside the scheduler, halting task execution and degrading the FastapiAdmin instance.
No verified proof-of-concept code is published. The GitHub vulnerability repository linked in the references documents the affected request path and field for technical review.
Detection Methods for CVE-2026-36724
Indicators of Compromise
- HTTP PUT or POST requests to /application/job/update/{id} containing unexpected or non-callable values in the func field.
- Application logs showing unhandled exceptions or stack traces originating from the scheduled task update handler.
- Sudden termination or restart of the FastapiAdmin task scheduler process following a job update request.
Detection Strategies
- Inspect web access logs for repeated requests to the job update endpoint correlated with 500-class responses.
- Alert on exception traces emitted by the FastapiAdmin worker that reference the func field or scheduler module.
- Correlate authenticated session activity against the module_task:job:update permission to identify accounts exercising the affected route.
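As an added example, not part of this advisory or of the FastapiAdmin project, the following Python scans access-log lines for the first strategy above: PUT or POST requests to the job update endpoint that returned a 5xx status, grouped by client and remote user. The nginx combined log format, the sample lines and the client names are constructed assumptions.

```python
import re
from collections import Counter

# Constructed nginx combined-format access-log lines for illustration; the
# "admin"/"ops" remote users, client IPs and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - admin [09/Jun/2026:10:00:01 +0000] "PUT /application/job/update/12 HTTP/1.1" 500 87 "-" "curl/8.0"
10.0.0.5 - admin [09/Jun/2026:10:00:02 +0000] "PUT /application/job/update/12 HTTP/1.1" 500 87 "-" "curl/8.0"
10.0.0.9 - ops [09/Jun/2026:10:00:03 +0000] "PUT /application/job/update/7 HTTP/1.1" 200 44 "-" "Mozilla/5.0"
10.0.0.5 - admin [09/Jun/2026:10:00:04 +0000] "GET /application/job/list HTTP/1.1" 500 12 "-" "curl/8.0"
10.0.0.7 - - [09/Jun/2026:10:00:05 +0000] "POST /application/job/update/3?x=1 HTTP/1.1" 503 0 "-" "python-requests/2.31"
"""

# Fields of the combined log format needed here: client, remote user,
# method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
JOB_UPDATE_RE = re.compile(r'^/application/job/update/\d+$')


def find_job_update_errors(log_text, threshold=1):
    """Return {(ip, user): count} for clients whose PUT/POST requests to the
    job update endpoint produced 5xx responses at least `threshold` times.
    A 5xx on this route is the footprint of an unhandled exception in the
    update handler, which is what the detection guidance keys on."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m['method'] not in ('PUT', 'POST'):
            continue
        path = m['path'].split('?', 1)[0]   # drop any query string
        if not JOB_UPDATE_RE.match(path):
            continue
        if 500 <= int(m['status']) <= 599:
            hits[(m['ip'], m['user'])] += 1
    return {client: n for client, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for (ip, user), n in find_job_update_errors(SAMPLE_LOG).items():
        print(f"{ip} (user {user}): {n} failed job update request(s)")
```

Raise `threshold` to the repeat count that is abnormal for your deployment before wiring this into an alert.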
Monitoring Recommendations
- Forward FastapiAdmin application logs to a centralized analytics platform and build queries for unhandled exceptions on the job update endpoint.
- Track availability metrics for the task scheduler service and alert on unplanned restarts.
- Review audit logs for assignments of the module_task:job:update permission to non-administrative roles.
How to Mitigate CVE-2026-36724
Immediate Actions Required
- Restrict the module_task:job:update permission to trusted administrative accounts until a patched release is available.
- Place the FastapiAdmin administrative interface behind network controls so it is not reachable from untrusted networks.
- Enable application-level logging of exceptions on the job update endpoint to detect exploitation attempts.
Patch Information
No vendor advisory or fixed version is listed in the NVD entry for CVE-2026-36724 at the time of publication. Monitor the GitHub Vulnerability Repository and the FastapiAdmin project for an upstream fix.
Workarounds
- Front the job update handler with a reverse proxy rule that validates the func field against an allowlist of approved callables; this requires a proxy component that can inspect the request body, not just the URL and method.
- Implement a web application firewall rule that blocks job update requests carrying unexpected func payloads.
- Reduce the blast radius by isolating the FastapiAdmin scheduler in a process supervisor that restarts on failure, limiting downtime while a patch is pending.
# Example reverse proxy rule for the job update endpoint
# (nginx fragment - adapt to your environment)
#
# Caveat: an `if` inside a location block runs in the rewrite phase, before
# nginx has read the request body, and $request_body is only populated in
# locations handled by proxy_pass once the body has been buffered. A body
# check such as
#   if ($request_body !~* '"func"\s*:\s*"(allowed_task_one|allowed_task_two)"') { return 400; }
# therefore sees an empty variable and rejects every request, including
# legitimate ones. Allowlisting func by body content needs njs, a WAF, or the
# application itself; nginx can still limit which methods reach the handler.
location ~ ^/application/job/update/ {
    if ($request_method !~ ^(GET|PUT|POST)$) { return 405; }
    proxy_pass http://fastapiadmin_upstream;
}
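The allowlist check itself belongs in the application, where the parsed body is available. The following Python, added here and not FastapiAdmin's own code, contrasts the uncaught-exception pattern the advisory describes with a handler that validates func against a registry of permitted callables and turns rejections into a 422 response. The registry contents, the dotted-name format and the handler signature are assumptions.

```python
import importlib
import re

# Constructed allowlist of callables the scheduler may run, keyed by the
# exact string an operator is allowed to place in the func field. A real
# deployment fills this at startup from code, never from request data.
JOB_REGISTRY = {
    "tasks.cleanup": lambda: "cleanup scheduled",
    "tasks.report": lambda: "report scheduled",
}
DOTTED_NAME_RE = re.compile(r'^[A-Za-z_]\w*(\.[A-Za-z_]\w*)*$')


class JobValidationError(ValueError):
    """A rejected func value; the handler maps it to a 4xx response."""


def resolve_job_func_naive(func_value):
    """The pattern the advisory describes: import whatever the client names.
    A malformed or unknown value raises ImportError, AttributeError or
    ValueError, and nothing above this call catches it."""
    module_name, attr = func_value.rsplit(".", 1)
    return getattr(importlib.import_module(module_name), attr)


def resolve_job_func(func_value):
    """Hardened lookup: type-check, syntax-check, then consult the registry.
    Nothing is imported on the client's behalf, so no exception escapes."""
    if not isinstance(func_value, str) or not DOTTED_NAME_RE.match(func_value):
        raise JobValidationError("func must be a dotted identifier string")
    try:
        return JOB_REGISTRY[func_value]
    except KeyError:
        raise JobValidationError(f"func {func_value!r} is not a registered job") from None


def update_job(job_id, payload):
    """Hypothetical update handler returning (status, body). Validation
    failures become a 422 instead of an unhandled exception in the worker."""
    try:
        fn = resolve_job_func(payload.get("func"))
    except JobValidationError as exc:
        return 422, {"detail": str(exc)}
    return 200, {"id": job_id, "func": payload["func"], "status": fn()}
```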
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.